CVE-2026-42523 PUBLISHED

Assigner: jenkins
Reserved: 28.04.2026 Published: 29.04.2026 Updated: 29.04.2026

Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling", resulting in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read permission.

Product Status

Vendor	Jenkins Project
Product	Jenkins GitHub Plugin
Versions	Default: unaffected affected from 0 to 1.46.0 (incl.)

References

Jenkins Security Advisory 2026-04-29